[lxc-devel] [PATCH] Move back setcap for lxc-init

Guido Trotter ultrotter at google.com
Sun Mar 22 22:39:30 UTC 2009 

On Sun, Mar 22, 2009 at 10:24 PM, Daniel Lezcano <dlezcano at fr.ibm.com> wrote:
> Guido Trotter wrote:
>>
>> Putting setcap cap_sys_admin=ep $(libexecdir)/lxc-init in the
>> install-libexecPROGRAMS: overrides the default version of the target,
>> making lxc-init not actually installed anymore. Removing the overridden
>> target, and putting the setcap back where it was, in install-exec-local,
>> just with the correct path.
>>
>> Signed-off-by: Guido Trotter <ultrotter at quaqua.net>
>> ---
>>  src/lxc/Makefile.am |    5 ++---
>>  1 files changed, 2 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
>> index 28b7ac4..c2c33dd 100644
>> --- a/src/lxc/Makefile.am
>> +++ b/src/lxc/Makefile.am
>> @@ -128,9 +128,6 @@ lxc_restart_LDADD = liblxc.la
>>  lxc_version_SOURCES = lxc_version.c
>>  lxc_version_LDADD = liblxc.la
>>
>> -install-libexecPROGRAMS:
>> -        setcap cap_sys_admin=ep $(libexecdir)/lxc-init
>> -
>>  install-exec-local:
>>        - at export PATH=$$PATH:/sbin:/usr/sbin && \
>>         mkdir -p $(localstatedir) && \
>> @@ -140,6 +137,8 @@ install-exec-local:
>>         setcap
>> cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep
>> \
>>                $(bindir)/lxc-execute && \
>>                \
>> +        setcap cap_sys_admin=ep $(libexecdir)/lxc-init && \
>> +               \
>>         setcap
>> cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep
>> \
>>                $(bindir)/lxc-start && \
>>                \
>
> Well I tried this before but it looks like the lxc-init is not yet installed
> when we are trying to set the capabilty.
> You can check this by doing 'make uninstall install'
>
> I am wondering if creating a script to set these capabilities and call it at
> a post install rule won't be better.
>  - the script can be reused in the different package templates (eg.
> lxc.spec.in)

and debian/postinst, +1 for this option!! :)

>  - called from the Makefile

optionally, possibly! (so for debian builds I can disable it at
./configure time, and it will still be possible to call it at package
install time, but not at package build/make install time)

>  - and called manually from the shell
>

Sure, works for me.. :) Should this go in libexec too?

Thanks,

Guido

More information about the lxc-devel mailing list